I do put TVs on a separate VLAN and also cameras, phones, IoT stuff (those get the SEWER VLAN). I run a pfSense router and am seriously considering SSL splice in Squid in transparent mode for some of that lot. SSL splice is nearly a MitM but does not need trustable faked SSL certificates, but you do get more logging and the ability to make certain URLs vanish. Now if the security of the device is crap enough to believe faked certs, then why not try the full Bump and see what the bloody thing is really up to ...
If nothing else my SEWER VLAN has a very strange view of DNS (thanks pfBlocker) and a rather limited view of the internet as a whole.
Squid docs on Bump etc: https://wiki.squid-cache.org/Features/SslPeekAndSplice
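
A peek-and-splice setup of the kind described above, as an added example that is not part of the original post. It assumes Squid 4 or later built with OpenSSL support and an existing squid.conf with working http_access rules; the port, file paths and the blocked domain are constructed placeholders.

```conf
# Intercepted HTTPS from the IoT VLAN lands here (the firewall redirects
# tcp/443 to this port). Squid wants a CA certificate on any ssl-bump port,
# but with splice-only rules clients are never shown a certificate from it.
https_port 3129 intercept ssl-bump tls-cert=/path/to/proxyCA.pem

acl step1 at_step SslBump1
# Placeholder name: matches the SNI the device sends in its ClientHello.
acl blocked_sni ssl::server_name .telemetry.example.com

# Step 1: read the TLS ClientHello only, to learn the requested server name.
ssl_bump peek step1
# Step 2: drop connections to unwanted names without completing the handshake.
ssl_bump terminate blocked_sni
# Everything else is tunnelled untouched; the device talks TLS end to end
# with the real server and sees the real certificate.
ssl_bump splice all

# Record which names each device asks for and what Squid did with them.
logformat sni %ts.%03tu %>a %ssl::bump_mode %ssl::>sni
access_log stdio:/path/to/sni.log sni
```

With splice the proxy sees the server name from the handshake, not the paths inside the encrypted session, so the ACL matches on hostnames. Replacing `splice all` with `bump all` is the full interception case, and that only works against a device that accepts certificates issued by the proxy CA.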